[117743] in Cypherpunks
Re: plausible CAPI recovery designs (Re: FW: Cryptonym...)
daemon@ATHENA.MIT.EDU (Adam Back)
Thu Sep 9 18:10:05 1999
Date: Thu, 9 Sep 1999 22:50:12 +0100
Message-Id: <199909092150.WAA23621@server.cypherspace.org>
To: die@die.com
From: Adam Back <adam@cypherspace.org>
Cc: cypherpunks@cyberpass.net
Cc: schneier@counterpane.com
In-reply-to: <19990909165823.D24516@die.com> (message from Dave Emery on Thu,
9 Sep 1999 16:58:23 -0400)
Reply-To: Adam Back <adam@cypherspace.org>
Dave Emery writes:
> Is it in fact true that someone actually verified this by
> decompiling enough of the DLL to unambiguously prove that NSAKEY is
> completely equivalent to the MS KEY as far as signing crypto modules
> goes ?
I read the following:
(Schneier article forwarded by Bob Hettinga to cryptography &
cypherpunks lists from pgp-users list):
: Microsoft has two keys, a primary and a spare. The Crypto-Gram
: article talked about attacks based on the fact that a crypto suite
: is considered signed if it is signed by EITHER key, and that there
: is no mechanism for transitioning from the primary key to the
: backup. It's stupid cryptography, but the sort of thing you'd
: expect out of Microsoft.
: [...]
but not the quoted article:
: http://www.counterpane.com/crypto-gram-9904.html#certificates
having read the quoted article I think Schneier may have got his wires
crossed here. Unless I am misunderstanding something, I think the
CAPI authentication keys are entirely separate from the Authenticode
keys. Schneier's referenced cryptogram article (URL above) seems to
be referring exclusively to the authenticode keys, and the fact that
there are two keys in *it*. However his article to pgp-users quoted
above seems to imply that this is all old news and that the 2nd
authenticode key is the CAPI NSAKEY.
> And just to make sure, has this also been actually verified by
> overwriting NSAKEY with a public key with a known private half and
> successfully loading and using a crypto module signed only with that
> substituted key ?
Andrew Fernandes (the cryptonym guy) has a demo program to replace the
NSAKEY (though he wants you to sign an NDA to get it and I haven't
done this). He looked at the code and he says on his web page that he
thinks it will 'silently fall through to the 2nd key'.
> Also, what is known about *other* uses of the two keys, and the
> authentication service they provide. Does anyobody really know for
> certain that they are *only* used to authenticate CAPI modules as part
> of the ITAR nonsense ?
Unknown.
> Or could they also be used to authenticate many other objects as
> official Microsoft ? It would certainly seem to me that once one
> has such a facility, it might be useful as a means of authenticating
> all sorts of Microsft debugging and anti-piracy back doors.
There is the authenticode system which I think they use for that kind
of thing -- ensuring you have true microsoft code.
Adam